Detecting Rare SMB Connections for Potential NTLM Credential Theft
This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.
This detection strategy focuses on identifying unusual Server Message Block (SMB) traffic that originates from internal IP addresses and connects to external networks. SMB, commonly used for file and printer sharing within a network, can be abused to capture NTLM credentials: a rogue UNC path injected into a document, email, or link forces the victim's machine to open an outbound SMB connection and authenticate to an attacker-controlled server. This activity is often associated with threat actors attempting to steal credentials for lateral movement or data exfiltration. Defenders should be aware of this technique because it lets adversaries bypass traditional security controls by leveraging a legitimate protocol for malicious purposes. This detection is relevant for environments that use Windows operating systems and SMB for internal network communications. The goal is to identify and alert on SMB connections to external IPs, excluding known safe ranges and legitimate business applications.
Attack Chain
- An attacker compromises an internal system via phishing or other means (not detailed in source).
- The attacker injects a rogue UNC path into a document, email, or other medium.
- A user opens the malicious document or clicks the injected link, triggering an SMB connection to a malicious external server.
- The SMB connection attempts to authenticate with the user’s NTLM credentials.
- The attacker captures the NTLM hash from the authentication attempt.
- The attacker attempts to crack the NTLM hash to obtain the user’s password.
- Using the cracked password, the attacker gains unauthorized access to other systems and resources on the network.
Impact
Successful exploitation can lead to credential theft, allowing attackers to gain unauthorized access to sensitive data and systems within the organization. This can result in data breaches, financial losses, and reputational damage. The impact is significant because SMB is a common protocol within many Windows environments, making this technique highly effective if not properly monitored.
Recommendation
- Deploy the Sigma rule “Detect SMB Connection to External IP” to your SIEM to identify potentially malicious SMB connections to the internet. Tune the rule by excluding known-good external IPs used by legitimate services.
- Enable Sysmon Event ID 3 (Network Connection) with proper filtering to capture SMB traffic details (source and destination IP, destination port, and the initiating process), as recommended in the linked setup guide, to enhance the fidelity of the detection.
- Implement network segmentation to restrict SMB traffic to only necessary internal communications, reducing the attack surface and mitigating the risk of external exposure.
Detection coverage (2 rules)
Detect SMB Connection to External IP (severity: medium)
Detects SMB connections (ports 139 or 445) originating from internal IP ranges to external IP addresses, excluding known internal and reserved IP ranges. This may indicate NTLM relay attempts.
Detect SMB Process ID 4 Connections to External IP (severity: high)
Detects SMB connections (ports 139 or 445) originating from internal IP ranges to external IP addresses where the process ID is 4. This is to monitor for forced authentication attempts.
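The following is an added example, not part of the original brief and not the platform's own Sigma rules: an offline Python implementation of the two detections described above (and of the Sysmon Event ID 3 recommendation), applied to constructed Sysmon network-connection records. Field names follow Sysmon's Event ID 3 schema (SourceIp, DestinationIp, DestinationPort, ProcessId, Image); the internal and reserved ranges, the empty KNOWN_GOOD_DST allow-list and the sample records are assumptions constructed for illustration.

```python
# Added example (not from the original brief): offline implementation of the
# two detections, run over constructed Sysmon Event ID 3 records.
import ipaddress

SMB_PORTS = {139, 445}


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# The source must sit in an internal range (RFC 1918, IPv6 ULA). Assumed ranges.
INTERNAL_SRC = _nets(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"])

# Destinations that are never "the internet": internal plus reserved ranges
# (loopback, link-local, multicast, CGNAT, this-network, broadcast).
EXCLUDED_DST = INTERNAL_SRC + _nets([
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "100.64.0.0/10",
    "0.0.0.0/8", "255.255.255.255/32", "::1/128", "fe80::/10", "ff00::/8",
])

# Placeholder allow-list: sanctioned external SMB endpoints (e.g. a cloud file
# service the business uses). Empty here; the operator supplies real entries.
KNOWN_GOOD_DST = _nets([])


def _in_any(addr, nets):
    # Membership is version-aware: an IPv4 address is never "in" an IPv6 network.
    return any(addr in net for net in nets)


def classify(event):
    """Map one Sysmon EID 3 record to a severity, or None if it does not match.

    "medium": SMB (139/445) from an internal source to a non-excluded external
              destination (rule "Detect SMB Connection to External IP").
    "high":   the same, but initiated by ProcessId 4 (the System process),
              which is how a UNC-path-triggered forced authentication appears.
    """
    try:
        port = int(event["DestinationPort"])
        src = ipaddress.ip_address(event["SourceIp"])
        dst = ipaddress.ip_address(event["DestinationIp"])
        pid = int(event.get("ProcessId", -1))
    except (KeyError, ValueError):
        return None  # malformed record: neither alert nor crash
    if port not in SMB_PORTS or not _in_any(src, INTERNAL_SRC):
        return None
    if _in_any(dst, EXCLUDED_DST) or _in_any(dst, KNOWN_GOOD_DST):
        return None
    return "high" if pid == 4 else "medium"


def run_detection(events):
    """Return [(severity, event), ...] for every record that matches a rule."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev))
    return hits


# Constructed sample records (not real telemetry). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "System", "ProcessId": "4",
     "SourceIp": "10.20.30.40", "DestinationIp": "203.0.113.10", "DestinationPort": "445"},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "ProcessId": "5120",
     "SourceIp": "192.168.1.25", "DestinationIp": "198.51.100.7", "DestinationPort": "139"},
    {"EventID": 3, "Image": "System", "ProcessId": "4",
     "SourceIp": "10.20.30.40", "DestinationIp": "10.20.30.50", "DestinationPort": "445"},
    {"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe", "ProcessId": "7788",
     "SourceIp": "10.20.30.40", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": 3, "Image": "System", "ProcessId": "4",
     "SourceIp": "10.20.30.40", "DestinationIp": "100.64.5.5", "DestinationPort": "445"},
]

if __name__ == "__main__":
    for sev, ev in run_detection(SAMPLE_EVENTS):
        print(f"[{sev}] {ev['SourceIp']} -> {ev['DestinationIp']}:{ev['DestinationPort']} "
              f"pid={ev['ProcessId']} image={ev['Image']}")
```

Only the first two sample records fire: the internal-to-internal connection, the port 443 connection and the CGNAT destination are all filtered out before severity is assigned. In a SIEM the same logic maps onto the two rules as a port filter, a source-range filter, a destination exclusion list (internal, reserved, and known-good), and a ProcessId 4 condition that upgrades the match from medium to high; the exclusion list is where the tuning from the Recommendation section lives.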